Project

General

Profile

Actions
Copy link

Bug #607

closed

vboot-vscvd-ranges are never populated correctly

Added by Maximilian Brune 3 days ago. Updated 3 days ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
chipset configuration
Target version:
none
Start date:
08/20/2025
Due date:
% Done:

0%

Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
all hardware that uses VBOOT_GSCVD
Affected OS:

Description

I worked on the amdfwread tool and I noticed that it is used by AMD common Makefiles for VBOOT:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/common/Makefile.mk#L65
It apparently creates a file called "ro-amdfw-list" which contains address ranges for the regions that are needed by VBOOT toolings so that it knows which regions to protect with a signature?
The problem is that I noticed that the file is read before it even exists:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/phoenix/Makefile.mk#L375
The file is created during "build_complete", but it is queried at the beginning of the build process, which causes the "vboot-gscvd-ranges" variable to contain "error" entries instead of actual regions. Looking at the code, it seems this has never worked from the beginning. Since this potentially security relevant (although I don't know to which degree since I am unfamiliar with the GSCVD implementation), it should be addressed.

Actions
Copy link
 #1

Updated by Maximilian Brune 3 days ago

This patch seems to be the origin of this:
https://review.coreboot.org/c/coreboot/+/66945

Actions
Copy link
 #2

Updated by Maximilian Brune 3 days ago

  • Status changed from Response Needed to Resolved
  • Priority changed from High to Low

Not an issue after all, since Makefiles lazy evaluation of variables is used.

Actions
Copy link

Also available in: Atom PDF